Hi everybody,
Quoting from http://edns-ping.org:
EDNS-PING is an option within the EDNS DNS framework which allows
nameservers to protect themselves from certain "spoofing" attacks.
By default, responses to DNS questions are matched to their questions by
making sure they share the same DNS transaction ID, IP and network
endpoints.
In certain scenarios, it may be feasible for an external attacker to
inject responses that artificially match the criteria outlined above.
This problem would not occur if the DNS transaction ID had not been
limited to 65536 distinct values.
EDNS-PING in effect allows for a far longer DNS transaction ID, making it
infeasible for an external attacker to inject "fake" responses.
EDNS-PING is a work of David Ulevitch of OpenDNS, and of me.
Not much noise was made about this, but PowerDNS Authoritative Server 2.9.22
shipped with EDNS-PING support built in.
Today, this is complemented by a PowerDNS Recursor 3.1.8-prerelease, which
can make use of EDNS-PING to protect your DNS queries from spoofing.
Please find the snapshot on:
http://svn.powerdns.com/snapshots/pdns-recursor-3.1.8-pre.tar.bz2
To test, try to resolve 'www.edns-ping.org', and watch the log file, which
should then contain the following message:
Feb 08 01:21:00 We welcome 85.17.219.217 to the land of EDNS-PING!
For more information, see http://edns-ping.org
PS: This is another very good reason to upgrade your authoritative PowerDNS
servers to 2.9.22!
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
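The response-matching rule the quoted text describes, worked through as an added example (this is not code from the post, from edns-ping.org or from PowerDNS): a query carries a long random nonce in an EDNS option, and a reply is accepted only if it has the usual 16-bit transaction ID and source endpoint and also echoes that nonce. The option code used here is a hypothetical placeholder, since the post does not state the real EDNS-PING code, and the wire-format helpers are deliberately minimal (one question, no name compression in anything they build).

```python
import struct
# Hypothetical option code: the post does not state the real EDNS-PING code.
PING_OPTION_CODE = 65001  # assumed value from the experimental-use range

def _skip_name(msg, pos):
    # Return the offset just past a (possibly compressed) name starting at pos
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 else 1)

def _opt_rr(nonce):
    # OPT pseudo-RR: root name, type 41, UDP size 4096, flags 0, one EDNS option
    option = struct.pack("!HH", PING_OPTION_CODE, len(nonce)) + nonce
    return b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option

def build_query(txid, qname, nonce):
    """Query qname/IN/A with the nonce carried in the OPT RR (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1) + _opt_rr(nonce)

def build_response(query, echo):
    """Constructed reply: QR set, question copied, nonce echoed only if echo is given."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 1 if echo else 0)
    return header + question + (_opt_rr(echo) if echo else b"")

def edns_options(msg):
    """Return {code: data} from the OPT RR of a DNS message, or {} if none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == 41:
            opts, p = {}, 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                opts[code], p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            return opts
    return {}

def response_matches(sent, got):
    """Classic check (txid + remote endpoint) plus EDNS-PING: our nonce must come back."""
    (txid, nonce, server), (resp, source) = sent, got
    return (source == server and struct.unpack("!H", resp[:2])[0] == txid
            and edns_options(resp).get(PING_OPTION_CODE) == nonce)
```

A reply that guesses the 16-bit ID and arrives from the right address still fails when the OPT RR is absent or carries a different nonce, which is the whole point of the longer effective transaction ID.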